
Support autosigning with a ca certificate bundle file

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: SERVER 5.1.0
    • Component/s: None
    • Team: Platform Core
    • Story Points: 3
    • Sprint: Platform Core 2017-09-05, Server 2017-07-25, Platform Core 2017-08-08, Platform Core 2017-08-22
    • Release Notes: Bug Fix
    • QA Risk Assessment: Automate

      Description

      Currently, the CA code returns the contents of $cadir/ca_crt.pem to agents who hit /v1/certificate/ca, which they do in order to bootstrap a trust relationship. The agents hit this endpoint if there isn't a localcacert on their filesystem, save the results to $ssldir/certs/ca.pem, and use the returned certificate to validate subsequent server connections.

      While the agents will happily use a certificate chain at their localcacert location to validate server connections, and puppet cert generate hostname.dom.ain on the master will select and use the correct CA cert out of a chain in ca_crt.pem, the autosigning code errors when it encounters such a file:

      Error: Could not request certificate: Error 500 on SERVER: Internal Server Error:
      java.lang.IllegalArgumentException: The PEM stream must contain exactly 1 certificate

      I'm open to implementation options, either to permit >1 cert in the file (as puppet cert generate seems to do just fine, presumably by matching the private key to one of the certs in the bundle?) or by allowing a separate file to be returned by the /certificate/ca endpoint which is disconnected from the actual signing cert file.


          Activity

          broberts Ben Roberts added a comment -

          Would like to see this implemented so that the intermediate CA scenarios described in the "External CA" document can be implemented using puppet's internal certificate signing and distribution mechanism. Ideally we'd like to be able to manually sign master certificates, and autosign agent certificates using different subordinates of our internal PKI.

          moses Moses Mendoza added a comment -

          Reading the description of this ticket, it seems like the bug being discussed is explicitly surfaced when trying to use autosigning with a CA cert bundle. I've updated the ticket name to reflect that - please let me know if that's not accurate.

          moses Moses Mendoza added a comment - edited

          Facility for extraction of ca cert from a chain with validation of the pubkey merged to jvm-ssl-utils/master, here: https://github.com/puppetlabs/jvm-ssl-utils/commit/3d63246bfd86f4afb745648a1d55af880c7907a1

          moses Moses Mendoza added a comment -

          Update to cert extraction to expect a key pair merged to jvm-ssl-utils/master: https://github.com/puppetlabs/jvm-ssl-utils/commit/82c694bb738bdbae387f99020ff5674ff1920fd8

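The key-pair check the description asks about and the jvm-ssl-utils comments above describe, as an added Go example (not Puppet Server's or jvm-ssl-utils' code): given the CA private key and a PEM bundle, it returns the certificate whose public key matches that key and rejects a bundle in which nothing matches. The root and intermediate certificates, their names, keys and root-first ordering are constructed for the example, and the function and helper names are assumptions.

```go
package main
import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// SelectCACert scans every CERTIFICATE block in a PEM bundle (ca_crt.pem may hold a chain) and
// returns the one whose public key belongs to caKey (RSA or ECDSA) instead of demanding exactly one.
func SelectCACert(bundle []byte, caKey crypto.Signer) (*x509.Certificate, error) {
	for blk, rest := pem.Decode(bundle); blk != nil; blk, rest = pem.Decode(rest) {
		if blk.Type != "CERTIFICATE" {
			continue // a stray key or CRL block in the file is not a candidate
		}
		cert, err := x509.ParseCertificate(blk.Bytes)
		if err != nil {
			return nil, err
		}
		if pub, ok := cert.PublicKey.(interface{ Equal(crypto.PublicKey) bool }); ok && pub.Equal(caKey.Public()) {
			return cert, nil
		}
	}
	return nil, errors.New("no certificate in the bundle matches the CA private key")
}
// mkCA is a constructed fixture helper: a CA cert for key, self-signed when parent is nil.
func mkCA(cn string, key *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, []byte) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey) // fixture: error ignored
	return tmpl, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
// ConstructedBundle returns a root-first root+intermediate bundle (so "take the first cert" would
// pick the root), the intermediate's signing key, and an unrelated key that matches nothing in it.
func ConstructedBundle() ([]byte, *ecdsa.PrivateKey, *ecdsa.PrivateKey) {
	newKey := func() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
	rootKey, caKey, strayKey := newKey(), newKey(), newKey()
	root, rootPEM := mkCA("Constructed Root CA", rootKey, nil, nil)
	_, caPEM := mkCA("Constructed Puppet CA", caKey, root, rootKey)
	return append(rootPEM, caPEM...), caKey, strayKey
}
```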
          moses Moses Mendoza added a comment -

          merged to puppetserver/master at https://github.com/puppetlabs/puppetserver/commit/9167be99d3eb75c0688b038441bac90c73b02c0f

            People

            • Assignee: qa qa
            • Reporter: eric.sorenson Eric Sorenson
            • Votes: 2
            • Watchers: 7
